JavaScript library to create JavaScript subsets.
Simply require jsub and test your scripts against your own JavaScript subset
syntax definition. Scripts must be provided as
AST with tools like
Esprima or the Reflect.parse API:
var jsub = require('jsub');
var esprima = require('esprima');
var syntax = {
context: {
categories: {
fruits: [],
vegetables: [],
},
},
conditions: [{
type: 'Program',
}, {
type: 'ExpressionStatement',
}, {
type: 'BinaryExpression',
operator: ['*', '-'],
}, {
type: 'Literal',
raw: /^[0-9]{1,5}$/,
}, {
type: 'CallExpression',
// The $_ property creates a custom parser that will by-pass the actual
// jsub embedded child expression checker. You should use this extremely
// carefully and heavily test it. It must return an array of errors that
// prevented the rule to apply, empty if it successfully applied.
'$_': function(expression) {
// Check function name
if(
(!expression.callee) ||
'Identifier' !== expression.callee.type ||
'lengthOf' !== expression.callee.name
) {
return [new Error('E_BAD_FUNCTION_NAME')];
}
if(
1 !== expression.arguments.length ||
'Literal' !== expression.arguments[0].type ||
!/^fruits|vegetables$/.test(expression.arguments[0].value)
) {
return [new Error('E_BAD_FUNCTION_ARGS')];
}
return [];
},
}, {
type: 'CallExpression',
// The $_ property is also usefull to check sub syntaxes
'$_': function(expression) {
return jsub.bind(null, {
type: 'Literal',
raw: /^[0-9]{1,5}$/,
});
},
}],
};
var checkJavaScriptSubset = jsub.bind(null, syntax);
var script = '2 * (lengthOf("fruits") - lengthOf("vegetables"))';
var javaScriptAST = esprima.parse(script);
checkJavaScriptSubset(javaScriptAST);
// []
// returns an empty array since there is no syntax violation
jsub uses a white list to check every AST node of your application so it
fallbacks to security, you can now run your script safely without having to
sandbox it!
var script = '2 * (lengthOf("fruits") - lengthOf("vegetables"))';
var context = {
vegetables: ['salad', 'potato'],
fruits: ['cherry'],
lengthOf: function(arrayName) {
return context[arrayName].length;
},
};
runFunction = new Function(
'var fruits = this.fruits;\n' +
'var vegetables = this.vegetables;\n' +
'var lengthOf = this.lengthOf;\n' +
'return (' + script + ');'
);
console.log(runFunction.call(context));
// -2
Check the given ast script according to the syntax definition, returns an
array containing the script syntax violations according to the definition.
FAQs
JavaScript library to create JavaScript subsets
The npm package jsub receives a total of 0 weekly downloads. As such, jsub popularity was classified as not popular.
We found that jsub demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CISOs are racing to adopt AI for cybersecurity, but hurdles in budgets and governance may leave some falling behind in the fight against cyber threats.
Research
Security News
Socket researchers uncovered a backdoored typosquat of BoltDB in the Go ecosystem, exploiting Go Module Proxy caching to persist undetected for years.
Security News
Company News
Socket is joining TC54 to help develop standards for software supply chain security, contributing to the evolution of SBOMs, CycloneDX, and Package URL specifications.